Implement predictable IPs for mDNS and bind9

This PR adds support for mounting generated predictable IPs and employing them in the relevant pods.
openstack-k8s-operators · Jan 9, 2025 · c803892 · c803892
1 parent 4a66d30
commit c803892
Show file tree

Hide file tree

Showing 29 changed files with 511 additions and 60 deletions.
diff --git a/api/bases/designate.openstack.org_designatebackendbind9s.yaml b/api/bases/designate.openstack.org_designatebackendbind9s.yaml
@@ -109,6 +109,9 @@ spec:
                   But can also be used to add additional files. Those get added to the service config dir in /etc/<service> .
                   TODO: -> implement
                 type: object
+              netUtilsImage:
+                description: NetUtilsImage - NetUtils container image
+                type: string
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network

diff --git a/api/bases/designate.openstack.org_designatemdnses.yaml b/api/bases/designate.openstack.org_designatemdnses.yaml
@@ -109,6 +109,9 @@ spec:
                   But can also be used to add additional files. Those get added to the service config dir in /etc/<service> .
                   TODO: -> implement
                 type: object
+              netUtilsImage:
+                description: NetUtilsImage - NetUtils container image
+                type: string
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network

diff --git a/api/bases/designate.openstack.org_designates.yaml b/api/bases/designate.openstack.org_designates.yaml
@@ -515,6 +515,9 @@ spec:
                       But can also be used to add additional files. Those get added to the service config dir in /etc/<service> .
                       TODO: -> implement
                     type: object
+                  netUtilsImage:
+                    description: NetUtilsImage - NetUtils container image
+                    type: string
                   networkAttachments:
                     description: NetworkAttachments is a list of NetworkAttachment
                       resource names to expose the services to the given network
@@ -866,6 +869,9 @@ spec:
                       But can also be used to add additional files. Those get added to the service config dir in /etc/<service> .
                       TODO: -> implement
                     type: object
+                  netUtilsImage:
+                    description: NetUtilsImage - NetUtils container image
+                    type: string
                   networkAttachments:
                     description: NetworkAttachments is a list of NetworkAttachment
                       resource names to expose the services to the given network

diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
@@ -37,6 +37,8 @@ const (
 	DesignateUnboundContainerImage = "quay.io/podified-antelope-centos9/openstack-unbound:current-podified"
 	// DesignateBackendbind9ContainerImage is the fall-back container image for DesignateUnbound
 	DesignateBackendbind9ContainerImage = "quay.io/podified-antelope-centos9/openstack-designate-backend-bind9:current-podified"
+	// NetUtilsContainerImage is the container image containing support for predictable IP pod injection
+	NetUtilsContainerImage = "quay.io/podified-antelope-centos9/openstack-netutils:current-podified"
 )
 
 // DesignateTemplate defines common input parameters used by all Designate services

diff --git a/api/v1beta1/designate_types.go b/api/v1beta1/designate_types.go
@@ -297,6 +297,7 @@ func SetupDefaults() {
 		WorkerContainerImageURL:       util.GetEnvVar("RELATED_IMAGE_DESIGNATE_WORKER_IMAGE_URL_DEFAULT", DesignateWorkerContainerImage),
 		UnboundContainerImageURL:      util.GetEnvVar("RELATED_IMAGE_DESIGNATE_UNBOUND_IMAGE_URL_DEFAULT", DesignateUnboundContainerImage),
 		Backendbind9ContainerImageURL: util.GetEnvVar("RELATED_IMAGE_DESIGNATE_BACKENDBIND9_IMAGE_URL_DEFAULT", DesignateBackendbind9ContainerImage),
+		NetUtilsURL:                   util.GetEnvVar("RELATED_IMAGE_NETUTILS_IMAGE_URL_DEFAULT", NetUtilsContainerImage),
 		DesignateAPIRouteTimeout:      APITimeout,
 	}
 

diff --git a/api/v1beta1/designate_webhook.go b/api/v1beta1/designate_webhook.go
@@ -44,6 +44,7 @@ type DesignateDefaults struct {
 	WorkerContainerImageURL       string
 	Backendbind9ContainerImageURL string
 	UnboundContainerImageURL      string
+	NetUtilsURL                   string
 	DesignateAPIRouteTimeout         int
 }
 
@@ -86,6 +87,9 @@ func (spec *DesignateSpec) Default() {
 	if spec.DesignateMdns.ContainerImage == "" {
 		spec.DesignateMdns.ContainerImage = designateDefaults.MdnsContainerImageURL
 	}
+	if spec.DesignateMdns.NetUtilsImage == "" {
+		spec.DesignateMdns.NetUtilsImage = designateDefaults.NetUtilsURL
+	}
 	if spec.DesignateProducer.ContainerImage == "" {
 		spec.DesignateProducer.ContainerImage = designateDefaults.ProducerContainerImageURL
 	}
@@ -95,6 +99,9 @@ func (spec *DesignateSpec) Default() {
 	if spec.DesignateBackendbind9.ContainerImage == "" {
 		spec.DesignateBackendbind9.ContainerImage = designateDefaults.Backendbind9ContainerImageURL
 	}
+	if spec.DesignateBackendbind9.NetUtilsImage == "" {
+		spec.DesignateBackendbind9.NetUtilsImage = designateDefaults.NetUtilsURL
+	}
 	if spec.DesignateUnbound.ContainerImage == "" {
 		spec.DesignateUnbound.ContainerImage = designateDefaults.UnboundContainerImageURL
 	}

diff --git a/api/v1beta1/designatebackendbind9_types.go b/api/v1beta1/designatebackendbind9_types.go
@@ -78,6 +78,10 @@ type DesignateBackendbind9SpecBase struct {
 	// +kubebuilder:validation:Optional
 	// StorageRequest
 	StorageRequest string `json:"storageRequest"`
+
+	// +kubebuilder:validation:Optional
+	// NetUtilsImage - NetUtils container image
+	NetUtilsImage string `json:"netUtilsImage"`
 }
 
 // DesignateBackendbind9Status defines the observed state of DesignateBackendbind9

diff --git a/api/v1beta1/designatemdns_types.go b/api/v1beta1/designatemdns_types.go
@@ -72,6 +72,10 @@ type DesignateMdnsSpecBase struct {
 	// +kubebuilder:validation:Optional
 	// ControlNetworkName - specify which network attachment is to be used for control, notifys and zone transfers.
 	ControlNetworkName string `json:"controlNetworkName"`
+
+	// +kubebuilder:validation:Optional
+	// NetUtilsImage - NetUtils container image
+	NetUtilsImage string `json:"netUtilsImage"`
 }
 
 // DesignateMdnsStatus defines the observed state of DesignateMdns

diff --git a/config/crd/bases/designate.openstack.org_designatebackendbind9s.yaml b/config/crd/bases/designate.openstack.org_designatebackendbind9s.yaml
@@ -109,6 +109,9 @@ spec:
                   But can also be used to add additional files. Those get added to the service config dir in /etc/<service> .
                   TODO: -> implement
                 type: object
+              netUtilsImage:
+                description: NetUtilsImage - NetUtils container image
+                type: string
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network

diff --git a/config/crd/bases/designate.openstack.org_designatemdnses.yaml b/config/crd/bases/designate.openstack.org_designatemdnses.yaml
@@ -109,6 +109,9 @@ spec:
                   But can also be used to add additional files. Those get added to the service config dir in /etc/<service> .
                   TODO: -> implement
                 type: object
+              netUtilsImage:
+                description: NetUtilsImage - NetUtils container image
+                type: string
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network

diff --git a/config/crd/bases/designate.openstack.org_designates.yaml b/config/crd/bases/designate.openstack.org_designates.yaml
@@ -515,6 +515,9 @@ spec:
                       But can also be used to add additional files. Those get added to the service config dir in /etc/<service> .
                       TODO: -> implement
                     type: object
+                  netUtilsImage:
+                    description: NetUtilsImage - NetUtils container image
+                    type: string
                   networkAttachments:
                     description: NetworkAttachments is a list of NetworkAttachment
                       resource names to expose the services to the given network
@@ -866,6 +869,9 @@ spec:
                       But can also be used to add additional files. Those get added to the service config dir in /etc/<service> .
                       TODO: -> implement
                     type: object
+                  netUtilsImage:
+                    description: NetUtilsImage - NetUtils container image
+                    type: string
                   networkAttachments:
                     description: NetworkAttachments is a list of NetworkAttachment
                       resource names to expose the services to the given network

diff --git a/config/default/manager_default_images.yaml b/config/default/manager_default_images.yaml
@@ -25,3 +25,5 @@ spec:
           value: quay.io/podified-antelope-centos9/openstack-designate-backend-bind9:current-podified
         - name: RELATED_IMAGE_DESIGNATE_UNBOUND_IMAGE_URL_DEFAULT
           value: quay.io/podified-antelope-centos9/openstack-unbound:current-podified
+        - name: RELATED_IMAGE_NETUTILS_IMAGE_URL_DEFAULT
+          value: quay.io/podified-antelope-centos9/openstack-netutils:current-podified
diff --git a/controllers/designate_controller.go b/controllers/designate_controller.go
@@ -775,7 +775,11 @@ func (r *DesignateReconciler) reconcileNormal(ctx context.Context, instance *des
 	}
 
 	// Handle Mdns predictable IPs configmap
+	// We cannot have 0 mDNS pods so even though the CRD validation allows 0, don't allow it.
 	mdnsReplicaCount := int(*instance.Spec.DesignateMdns.Replicas)
+	if mdnsReplicaCount < 1 {
+		mdnsReplicaCount = 1
+	}
 	var mdnsNames []string
 	for i := 0; i < mdnsReplicaCount; i++ {
 		mdnsNames = append(mdnsNames, fmt.Sprintf("mdns_address_%d", i))
@@ -798,6 +802,9 @@ func (r *DesignateReconciler) reconcileNormal(ctx context.Context, instance *des
 	}
 
 	// Handle Bind predictable IPs configmap
+	// Unlike mDNS, we can have 0 binds when byob is used.
+	// NOTE(beagles) Really it might make more sense to have BYOB be an explicit flag and not assume that a 0
+	// value is a byob case. Something to think about.
 	bindReplicaCount := int(*instance.Spec.DesignateBackendbind9.Replicas)
 	var bindNames []string
 	for i := 0; i < bindReplicaCount; i++ {
@@ -1586,6 +1593,11 @@ func (r *DesignateReconciler) mdnsStatefulSetCreateOrUpdate(ctx context.Context,
 		instance.Spec.DesignateMdns.NodeSelector = instance.Spec.NodeSelector
 	}
 
+	if int(*instance.Spec.DesignateMdns.Replicas) < 1 {
+		var minReplicas int32 = 1
+		instance.Spec.DesignateMdns.Replicas = &minReplicas
+	}
+
 	op, err := controllerutil.CreateOrUpdate(ctx, r.Client, statefulSet, func() error {
 		statefulSet.Spec = instance.Spec.DesignateMdns
 		// Add in transfers from umbrella Designate CR (this instance) spec
@@ -1598,6 +1610,7 @@ func (r *DesignateReconciler) mdnsStatefulSetCreateOrUpdate(ctx context.Context,
 		statefulSet.Spec.ServiceAccount = instance.RbacResourceName()
 		statefulSet.Spec.TLS = instance.Spec.DesignateAPI.TLS.Ca
 		statefulSet.Spec.NodeSelector = instance.Spec.DesignateMdns.NodeSelector
+		statefulSet.Spec.Replicas = instance.Spec.DesignateMdns.Replicas
 
 		err := controllerutil.SetControllerReference(instance, statefulSet, r.Scheme)
 		if err != nil {

diff --git a/controllers/designatebackendbind9_controller.go b/controllers/designatebackendbind9_controller.go
@@ -2,7 +2,6 @@
 Copyright 2022.
 
 Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 
     http://www.apache.org/licenses/LICENSE-2.0
@@ -25,6 +24,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -39,6 +39,7 @@ import (
 	designatebackendbind9 "github.com/openstack-k8s-operators/designate-operator/pkg/designatebackendbind9"
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/labels"
@@ -388,6 +389,19 @@ func (r *DesignateBackendbind9Reconciler) reconcileNormal(ctx context.Context, i
 		return ctrl.Result{}, nil
 	}
 
+	bindIPsUpdated, err := r.hasMapChanged(ctx, helper, instance, designate.BindPredIPConfigMap, designate.BindPredictableIPHash)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+	rndcUpdate, err := r.hasSecretChanged(ctx, helper, instance, designate.DesignateBindKeySecret, designate.RndcHash)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+	if rndcUpdate || bindIPsUpdated {
+		// Predictable IPs and/or rndc keys have been updated, we need to update the statefulset.
+		return ctrl.Result{}, nil
+	}
+
 	instance.Status.Conditions.MarkTrue(condition.ServiceConfigReadyCondition, condition.ServiceConfigReadyMessage)
 
 	// Create ConfigMaps and Secrets - end
@@ -514,7 +528,6 @@ func (r *DesignateBackendbind9Reconciler) reconcileNormal(ctx context.Context, i
 				condition.SeverityWarning,
 				condition.NetworkAttachmentsReadyErrorMessage,
 				err.Error()))
-
 			return ctrl.Result{}, err
 		}
 
@@ -711,12 +724,15 @@ func (r *DesignateBackendbind9Reconciler) generateServiceConfigMaps(
 	cms := []util.Template{
 		// ScriptsConfigMap
 		{
-			Name:               fmt.Sprintf("%s-scripts", instance.Name),
-			Namespace:          instance.Namespace,
-			Type:               util.TemplateTypeScripts,
-			InstanceType:       instance.Kind,
-			AdditionalTemplate: map[string]string{"common.sh": "/common/common.sh"},
-			Labels:             cmLabels,
+			Name:         fmt.Sprintf("%s-scripts", instance.Name),
+			Namespace:    instance.Namespace,
+			Type:         util.TemplateTypeScripts,
+			InstanceType: instance.Kind,
+			AdditionalTemplate: map[string]string{
+				"common.sh":     "/common/common.sh",
+				"setipalias.py": "/common/setipalias.py",
+			},
+			Labels: cmLabels,
 		},
 		// Custom ConfigMap
 		{
@@ -762,3 +778,45 @@ func (r *DesignateBackendbind9Reconciler) createHashOfInputHashes(
 	}
 	return hash, changed, nil
 }
+
+func (r *DesignateBackendbind9Reconciler) hasMapChanged(
+	ctx context.Context,
+	h *helper.Helper,
+	instance *designatev1beta1.DesignateBackendbind9,
+	mapName string,
+	hashKey string,
+) (bool, error) {
+	configMap := &corev1.ConfigMap{}
+	err := h.GetClient().Get(ctx, types.NamespacedName{Name: mapName, Namespace: instance.GetNamespace()}, configMap)
+	if err != nil {
+		r.GetLogger().Error(err, fmt.Sprintf("Unable to check config map %s for changes", mapName))
+		return false, err
+	}
+	hashValue, err := configmap.Hash(configMap)
+	if err != nil {
+		return false, err
+	}
+	_, updated := util.SetHash(instance.Status.Hash, hashKey, hashValue)
+	return updated, nil
+}
+
+func (r *DesignateBackendbind9Reconciler) hasSecretChanged(
+	ctx context.Context,
+	h *helper.Helper,
+	instance *designatev1beta1.DesignateBackendbind9,
+	secretName string,
+	hashKey string,
+) (bool, error) {
+	found := &corev1.Secret{}
+	err := h.GetClient().Get(ctx, types.NamespacedName{Name: secretName, Namespace: instance.GetNamespace()}, found)
+	if err != nil {
+		r.GetLogger().Error(err, fmt.Sprintf("Unable to check secret %s for changes", secretName))
+		return false, err
+	}
+	hashValue, err := secret.Hash(found)
+	if err != nil {
+		return false, err
+	}
+	_, updated := util.SetHash(instance.Status.Hash, hashKey, hashValue)
+	return updated, nil
+}
diff --git a/controllers/designatemdns_controller.go b/controllers/designatemdns_controller.go
@@ -48,7 +48,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/labels"
 	nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
-	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
+	oko_secret "github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
@@ -674,7 +674,7 @@ func (r *DesignateMdnsReconciler) getSecret(
 	envVars *map[string]env.Setter,
 	prefix string,
 ) (ctrl.Result, error) {
-	secret, hash, err := secret.GetSecret(ctx, h, secretName, instance.Namespace)
+	secret, hash, err := oko_secret.GetSecret(ctx, h, secretName, instance.Namespace)
 	if err != nil {
 		if k8s_errors.IsNotFound(err) {
 			h.GetLogger().Info(fmt.Sprintf("Secret %s not found", secretName))
@@ -824,15 +824,39 @@ func (r *DesignateMdnsReconciler) generateServiceConfigMaps(
 	}
 	templateParameters["AllowCIDR"] = cidr
 
+	transportURLSecret, _, err := oko_secret.GetSecret(ctx, h, instance.Spec.TransportURLSecret, instance.Namespace)
+	if err != nil {
+		if k8s_errors.IsNotFound(err) {
+			r.GetLogger().Info(fmt.Sprintf("TransportURL secret %s not found", instance.Spec.TransportURLSecret))
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				condition.InputReadyCondition,
+				condition.RequestedReason,
+				condition.SeverityInfo,
+				condition.InputReadyWaitingMessage))
+			return nil
+		}
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.InputReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			condition.InputReadyErrorMessage,
+			err.Error()))
+		return err
+	}
+	templateParameters["TransportURL"] = string(transportURLSecret.Data["transport_url"])
+
 	cms := []util.Template{
 		// ScriptsConfigMap
 		{
-			Name:               fmt.Sprintf("%s-scripts", instance.Name),
-			Namespace:          instance.Namespace,
-			Type:               util.TemplateTypeScripts,
-			InstanceType:       instance.Kind,
-			AdditionalTemplate: map[string]string{"common.sh": "/common/common.sh"},
-			Labels:             cmLabels,
+			Name:         fmt.Sprintf("%s-scripts", instance.Name),
+			Namespace:    instance.Namespace,
+			Type:         util.TemplateTypeScripts,
+			InstanceType: instance.Kind,
+			AdditionalTemplate: map[string]string{
+				"common.sh":     "/common/common.sh",
+				"setipalias.py": "/common/setipalias.py",
+			},
+			Labels: cmLabels,
 		},
 		// Custom ConfigMap
 		{
@@ -846,7 +870,7 @@ func (r *DesignateMdnsReconciler) generateServiceConfigMaps(
 		},
 	}
 
-	return secret.EnsureSecrets(ctx, h, instance, cms, envVars)
+	return oko_secret.EnsureSecrets(ctx, h, instance, cms, envVars)
 }
 
 // createHashOfInputHashes - creates a hash of hashes which gets added to the resources which requires a restart